From 8eff5a181ddd5a3c90c7da6118c47cbbca434e02 Mon Sep 17 00:00:00 2001 From: Robert <17119716+robmonte@users.noreply.github.com> Date: Tue, 7 Jun 2022 18:22:09 -0500 Subject: [PATCH] Update GCP auth docs (#15855) * Add automatic GCE identity token login --- website/content/docs/auth/gcp.mdx | 48 +++++++++++++++++++------------ 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/website/content/docs/auth/gcp.mdx b/website/content/docs/auth/gcp.mdx index 4b5ace00f60d..b0f6fad6a143 100644 --- a/website/content/docs/auth/gcp.mdx +++ b/website/content/docs/auth/gcp.mdx @@ -75,7 +75,7 @@ management tool. 1. Enable the Google Cloud auth method: - ```text + ```shell-session $ vault auth enable gcp ``` @@ -94,7 +94,7 @@ management tool. For an `iam`-type role: - ```text + ```shell-session $ vault write auth/gcp/role/my-iam-role \ type="iam" \ policies="dev,prod" \ @@ -103,7 +103,7 @@ management tool. For a `gce`-type role: - ```text + ```shell-session $ vault write auth/gcp/role/my-gce-role \ type="gce" \ policies="dev,prod" \ @@ -312,14 +312,14 @@ role. This defaults to 15 minutes and cannot be more than 1 hour. One you have all this information, the JWT token can be signed using curl and [oauth2l](https://github.com/google/oauth2l): -```text +```shell-session ROLE="my-role" SERVICE_ACCOUNT="service-account@my-project.iam.gserviceaccount.com" OAUTH_TOKEN="$(oauth2l header cloud-platform)" EXPIRATION="" JWT_CLAIM="{\\\"aud\\\":\\\"vault/${ROLE}\\\", \\\"sub\\\": \\\"${SERVICE_ACCOUNT}\\\", \\\"exp\\\": ${EXPIRATION}}" -curl \ +$ curl \ --header "${OAUTH_TOKEN}" \ --header "Content-Type: application/json" \ --request POST \ 
@@ -346,22 +346,32 @@ Read more on the ### GCE -GCE tokens **can only be generated from a GCE instance**. The JWT token can be -obtained from the `service-accounts/default/identity` endpoint for a -instance's metadata server. +GCE tokens **can only be generated from a GCE instance**. -#### curl Example +1. Vault can automatically discover the identity token on a GCE/GKE instance. This simplifies + authenticating to Vault like so: -```text -ROLE="my-gce-role" - -curl \ - --header "Metadata-Flavor: Google" \ - --get \ - --data-urlencode "audience=http://vault/${ROLE}" \ - --data-urlencode "format=full" \ - "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" -``` + ```shell-session + $ vault login \ + -method=gcp \ + role="my-gce-role" + ``` + +1. The JWT token can also be obtained from the `"service-accounts/default/identity"` endpoint for a + instance's metadata server. + + #### Curl example + + ```shell-session + ROLE="my-gce-role" + + $ curl \ + --header "Metadata-Flavor: Google" \ + --get \ + --data-urlencode "audience=http://vault/${ROLE}" \ + --data-urlencode "format=full" \ + "http://metadata/computeMetadata/v1/instance/service-accounts/default/identity" + ``` ## API
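Review bot: in the hunk at `@@ -312,14 +312,14 @@`, the `$` prompt is added only to the `curl` line, while the `ROLE=`, `SERVICE_ACCOUNT=`, `OAUTH_TOKEN=` and `EXPIRATION=` assignments directly above it stay unprefixed; once the fence is `shell-session`, every line the user types should carry the prompt, so change those four to `$ ROLE="my-role"` and so on. The context line "One you have all this information" should read "Once you have all this information".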
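Review bot: in the hunk at `@@ -346,22 +346,32 @@`, the second list item reads "for a instance's metadata server"; it should be "for an instance's metadata server". The endpoint is wrapped in both backticks and double quotes (`"service-accounts/default/identity"`), so drop the quotes to match the other code spans. The `#### Curl example` heading is indented inside a list item, which MDX renders inconsistently; either un-indent it or replace it with bold text. The same prompt inconsistency as the iam example applies here: `ROLE="my-gce-role"` has no `$` while `$ curl` does.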